Enterprise Document Security with MOICE – Part I

Last year was a big year for Office documents. Office 2007 was launched, Office Open XML became an ECMA standard, and the security group for Office released a major service pack for Office 2003. Last year was also a big year for hackers who found one of the few remaining “Trojan horses,” in desktop security, malicious documents.

You might have heard the about some of the noise surrounding the Office 2003 SP3 update disabling support for some legacy file formats prior to Word 95. The controversy sparked a debate between the community around what it means for a document, file format, and application to be secure. After volleys were sent on both sides, it was pretty much agreed upon that the application, and not the file format, is mostly responsible for appropriately handling malicious code. After all, it’s the application that has to read and execute commands according the data stored. Office 2003 was the application that really didn’t handle document security well. Even with service packs, it would be very difficult to patch the application simply because it was compiled using an older compiler than Office 2007.

Even with the service pack, Office 97-2003 formats, which were not blocked, would be vulnerable in some targeted attacks. Enters to the stage, MOICE, Microsoft Office Isolated Conversion Environment. Ridiculous name I know, but even more ridiculous function or is it?

In the testing phase of OpenXML file handling, Microsoft’s security research center discovered something unique with the way Office 2007 handled malicious code in legacy documents. According to David Leblanc of MSRC,

“MOICE takes advantage of an effect we noticed while working on Office 2007 – when we get MSRC cases in, we have to check to see whether it affects each version, including new code. One of the things we noticed is that when we converted an exploit document to the new Office 2007 'Metro' format, it would either fail the conversion, emit a non-exploitable file, or the converter itself would crash. The possibility exists that something could make it all the way through, but we haven't seen any of those yet.”

Essentially, the way Office 2007 handled the document was more secure in large part to the architecture of Open XML. Leblanc, goes on to say that if companies had a way to “pre-process” documents that enter their environment from untrusted sources, there would a big leap in security where at present is, essentially, a giant gaping hole.

I could discuss how MOICE works in great detail, but I’ll save that for another day. To understand it at a high-level, all MOICE does is creates a sandboxed environment where it up-converts the file to Open XML stripping most malicious code, then down-converts it back to the legacy format, and hands the file off to the real signed application. During this process, even if some code got through and were to execute, it wouldn’t be able to do anything useful because it is sandboxed by the OS. The kicker is that all this is done transparently to the end-user—great concept huh?


By Viral Tarpara, IT Evangelist, Microsoft



Learn More About MOICE.

David LeBlanc’s Blog

Robert Hensing’s Blog

TechNet MOICE Resource

Comments (0)

Skip to main content